The guidance, released March 19th, applies standard AML rules to DeFi and the Non-Fungible Token (NFT) market. So far, this is a public consultation on a new draft of the FATF’s recommendations. But when it comes to the FATF, even a first draft matters.
The FATF is the global source of advice on financial security, integrity, and safety. National regulators like FinCEN, the Financial Crimes Enforcement Network, take their cue from FATF. And while the FATF has no statutory powers, members that don’t comply can ultimately be expelled.
All this means that when the FATF releases guidelines on an underregulated space like the digital assets industry, people across the sector pay attention.
It’s also the first significant effort to regulate the international DeFi industry, which is still in its infancy but already attracting considerable investment and attention. DeFi works by using multiple rapid digital asset transactions to move capital where it can be productive. Its requirement for speed makes it uniquely sensitive to any regulation that might slow it down or selectively slow certain jurisdictions. Non-Fungible Tokens are also addressed, with some clarification of how the FATF intends to consider and regulate them.
And the new guidelines address decentralized applications and exchanges, establishing a worrying precedent for more intrusive regulations of the whole digital economy in the future.
DeFi, DEXs, and VASPs
The FATF considers digital assets “Virtual Assets”, and defines many businesses working with them as “Virtual Asset Service Providers”.This now includes Decentralised EXchanges (DEXs) and DeFi platforms, which will need to meet the same Know-Your-Customer (KYC) and other AML requirements as traditional finance companies.
The FATF’s definition of a VASP is broad. A business is a VASP if it:
- Exchanges VAs and fiat currencies
- Exchanges one or more VAs
- Transfers VAs
- Safekeeps, administers, or supplies instruments facilitating control over VAs
- Participates in or provides financial services related to an issuer’s offer or sale of a VA
Clearly, this includes ICOs, DEXs, custodians, onramps, and nearly every other participant in the digital asset ecosystem.
In turning its eye to DeFi applications, the FATF has drawn the net wider by preferring the term DApp, meaning any decentralized or distributed application. DeFi applications are simply financial DApps; the FATF’s guidance on this point is worth quoting in full:
‘A DApp itself (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology.
However, entities involved with the DApp may be VASPs under the FATF definition. For example, the owner/operator(s) of the DApp likely fall under the definition of a VASP, as they are conducting the exchange or transfer of [virtual assets] as a business on behalf of a customer.
The owner/operator is likely to be a VASP, even if other parties play a role in the service or portions of the process are automated. Likewise, a person that conducts business development for a DApp may be a VASP when they engage as a business in facilitating or conducting the activities previously described on behalf of another natural or legal person.
The decentralization of any individual element of operations does not eliminate VASP coverage if the elements of any part of the VASP definition remain in place.’ (My emphasis)
This establishes a precedent for digital asset businesses. Blockchains are of their nature decentralized and outside the control of their founding entities; yet, the FATF recommends that founding entities be responsible for them anyway. While businesses that only use blockchain-based tools, rather than developing them, won’t be directly affected, this seems restrictive toward Dapps and the blockchains they’re built on.
The FATF goes on:
‘The use of an automated process such as a smart contract to carry out VASP functions does not relieve the controlling party of responsibility for VASP obligations. For purposes of determining VASP status, launching a self-propelling infrastructure to offer VASP services is the same as offering them, and similarly commissioning others to build the elements of an infrastructure, is the same as building them.’
These regulations could make it more challenging to create a decentralized application or platform that receives or handles financial transactions. Many DeFi businesses will now be hastening to feed back to the FATF about where the line should be; many more will be preparing to be regulated after the April 20th deadline for comments.
NFTs are sometimes VAs, sometimes not
NFTs previously lay outside the FATF guidelines, which applied only to digital “assets that are fungible”. However, the new guidance has replaced this phrase with “assets that are convertible and interchangeable”, which is a significant change seemingly aimed at the burgeoning NFT market.
However, the new guidance doesn’t claim FATF purview over all NFTs. Instead, it draws the distinction between NFTs with secondary markets or other potential use cases that could be leveraged for money laundering or terrorist financing, and others. If the market can treat an NFT as a VA — if it can be used in transactions after issue, essentially — the FATF will view it and recommend it be regulated as a VAs.
Stablecoins are VAs and subject to FATF standards
The FATF has also come to some conclusions regarding what it terms “so-called stablecoins”, recommending that countries analyze and mitigate the ML/TF risks before launch — particularly for stablecoins that are to be used for P2P transactions.
The FATF recommends risk mitigation, including “limiting the scope of customers’ ability to transact anonymously and/or… ensuring that AML/CFT obligations of obliged entities within the arrangement are fulfilled, e.g., by using software to monitor transactions and detect suspicious activity”.
CBDCs (Central Bank Digital Currencies) are not regarded as stablecoins and will instead be subject to similar standards to fiat currencies. VA escrow services, including those operating by smart contracts, brokerage services, advanced trading services, and custodians, are now considered VASPs. Assets are not exempt from the FATF Recommendations because of their format, similar to how the SEC claims tokens as securities based on functionality rather than technical specs. No asset should be considered entirely beyond the FATF’s purview.
Again, this is relatively dry stuff, but it has far-ranging implications for the digital asset space; the FATF intends to regulate all financial trading worldwide, digital or otherwise. That isn’t necessarily a problem — we’ve discussed at length the limitations of purely structural or programmatic solutions to business problems. Some sensible regulation is necessary.
However, there could be a disconnect between the regulations the FATF wants to impose, and how blockchain-based platforms actually function.
VASPs should assess and mitigate PF risks
The FATF defines Proliferation Financing (PF) as providing funds for manufacture, development, dealing, or use of nuclear, chemical or biological weapons and delivery and support systems for them. It’s an addition to the FATF’s list that includes terrorist financing and money laundering, that the world financial system should be attempting to insulate itself from and starve of funds.
The FATF says VASPs should begin to assess and mitigate these risks, and is in the process of developing separate, specific guidance on this point, which is likely to mirror CFT rules. If you’re looking to get out ahead of what is expected to be new rules in 2022 or thereabouts, it would make sense to begin applying the same rules your organization already uses for AML and CTF to counter-proliferation efforts.
Specific guidance on Travel Rule implementation
The FATF doesn’t like the anonymity of digital asset exchanges. Whether the pseudo-anonymity of “mainstream” digital asset finance or the deliberate pseudonymity-by-design of the most secretive exchanges, the digital asset world is strongly tilted in favor of users’ ability to conceal their true identities.
This has upsides, but makes digital assets the chosen tool for illegal financial activities too. The FATF is moving to apply its Travel Rule to digital assets too, to deanonymize digital finance.
The Travel Rule mimics the Travel Rule of the US Banking Privacy Act. It requires digital fund transfer creators and beneficiaries to exchange descriptive information, in an attempt to deanonymize digital asset transfers. This will present serious difficulties in networks that are pseudonymous by design.
The new guidance lays out how VASPs should implement the Travel Rule. It says VASPs that have not implemented the rule should be considered higher-risk, and that VASPs should undertake counterparty VASP due diligence before transmitting the required information.
Originating VASPs can and should require Travel Rule compliance from beneficiaries, either by contract or business practice, regardless of lack of regulations in the beneficiary’s jurisdiction. These business decisions should be made by VASPs individually based on their own risk-based analysis.
Both originator and beneficiary VASPs should screen transactions to ensure their counterparty is not a sanctioned name. It’s acceptable to submit originator and beneficiary information in batches as long as they are submitted immediately and securely per FATF standards. Post fact submission should not be permitted — the submission should always occur before or at the same time as the VA transfer.
When making transactions to or from unhosted wallets, VASPs must still collect the required information. Countries should consider requiring VASPs in their jurisdiction to treat unhosted wallet transfers as higher-risk transactions requiring enhanced scrutiny and limitations.
New best practices for counterparty VASP due diligence
Counterparty due diligence is one of the cornerstones of the traditional financial world. It’s a bulwark against crimes of every kind, but it’s also a significant overhead.
The digital asset world ostensibly has structural solutions — the security of blockchains makes them impenetrable to many traditional financial crimes; its combination of perfect, immutable record-keeping of wallet-to-wallet transactions and relative anonymity means many conventional forms of financial crime are near-impossible.
However, these factors offer no protection against bad actors using the network to finance terrorism, acquire WMDs, or money laundering from significant crime. The Travel Rule is intended to put up barriers to these actors.
When implementing the Travel Rule, VASPs should conduct counterparty due diligence. The FATF recommends a three-phase approach:
Determine whether the VA transfer is with a counterparty VA or an unhosted wallet or other service.
Identify the counterparty VASP
Assess whether the counterparty VASP is an eligible counterparty to send customer data to and to have a business relationship with.
The FATF says blockchain analytics can be used to assess VASP counterparties and identify discrepancies; counterparty VASP due diligence should be completed before the first transaction, and results should be subject to periodic review.
VASP licensing and registration
VASPs are licensed and registered, though the specifics vary from country to country. The FATF standards give jurisdictions flexibility when applying licensing or registration to VASPs.
However, it does lay out minimum standards. These include requiring VASPs to be licensed or registered in the jurisdictions where they are created. Jurisdictions may also require the registration of VASPs that offer products or services to customers in their jurisdictions.
National authorities should have mechanisms for monitoring VASPs and the VASP sector. They should identify legal or natural persons that carry out VA activities or operations without the requisite license or registration. These systems are designed to make it increasingly difficult for VASPs to operate without regulatory oversight.
Information-sharing amongst VASP supervisors
Cross-border information-sharing with international counterparts by both authorities and the private sector is critical for the VASP sector. It’s an intrinsically cross-border, multijurisdictional industry and requires a similar approach from regulators and VASPs themselves.
New Principles of Information Sharing and Co-operation between VASP Supervisors are published in the new guidance. This includes guidance on identifying Supervisors and VASPs and best practices for information exchange and cooperation between jurisdictions.
In brief, each country must designate at least one competent authority as their supervisor of VASPs for AML/CFT purposes. This competent authority must be clearly identified for AML/CFT purposes and cannot be a self-regulatory body.
If a VASP operates across multiple jurisdictions, a primary supervisor can be identified if the VASP has a significant proportion of its business in a particular jurisdiction.
Peer-to-Peer (P2P) transactions are central to the digital assets space; on-chain transactions are primarily P2P, and DEX transactions are also P2P; CEX (Centralized EXchange) and on and off-ramp transactions involve third parties, as do hosted wallets and transactions performed by custodians.
As such, changes to the way the FATF views P2P go to the heart of the industry, and the FATF’s new guidance includes new advice on P2P transactions, and speaks to an intention to move the digital asset space toward a network of professionals handling other people’s money rather than a purely P2P network.
Transactions should be considered higher-risk if they are to or from non-obliged entities like unhosted wallets. So should transactions whose transaction chains include P2P transactions. The FATF also offers a list of recommended risk mitigation tactics for high-risk transactions or jurisdictions:
- The VA equivalent of Currency Transaction Reports (CTR), used in the US banking system for transactions over $10,000
- Delicensing VASPs that allow transactions to or from non-obliged entities
- Enhanced record-keeping and EDD (Enhanced Due Diligence) requirements
- Enhanced supervision for VASPs
- Public guidance and advice about the risks of P2P transactions
The chance to respond
There’s still time to register concerns with the FATF, until the April 20th deadline. The FATF is asking for feedback from private stakeholders, with these areas of focus:
1. Does the revised Guidance on the definition of VASP (paragraphs 47-79) provide more clarity on which businesses are undertaking VASP activities and are subject to the FATF Standards?
- Is further guidance needed on how the FATF Standards apply to various business models, as stated in paragraphs 56-59? How should the Guidance further address the challenges in applying the definition of VASP to businesses which decentralize their operations across multiple parties?
- Is more guidance necessary on the phrase “for or on behalf of another natural or legal person” in the FATF definition of VASP? What are the challenges associated with applying the business-customer relationship concept in the VASP context?
- Do the clarifications on the “expansive” approach to the definition of VASP in identifying and policing the “regulatory perimeter” for VASPs provide countries and the private sector with enough guidance? What additional clarity can be given to make the perimeter clearer?
2. What are the most effective ways to mitigate the money laundering and terrorist financing (ML/TF) risks relating to peer-to-peer transactions (i.e., VA transfers conducted without the use or involvement of a VASP or other obliged entity, such as VA transfers between two unhosted wallets) (see paragraphs 34-35 and 91-93)?
- How are peer-to-peer transactions being used for ML/TF purposes and what options are available to identify how peer-to-peer transactions are being used? What role and implications (e.g., benefits) do peer-to-peer transactions and unhosted wallets have in VA ecosystems?
- What specific options are available to countries and VASPs to mitigate the ML/TF risks posed by peer-to-peer transactions?
- Are the risk mitigation measures proposed in the Guidance in paragraphs 91-93 appropriate, sufficient and feasible?
3. Does the revised Guidance in relation to the travel rule need further clarity (paragraphs 152-180 and 256-267)?
- Are there issues relating to the travel rule where further guidance is needed? If so, where? Please provide any concrete proposals.
- Does the description of counterparty VASP due diligence clarify expectations, while remaining technology neutral and not prescribing how VASPs must undertake this process (see paragraphs 172-177 and 261-265)?
4. Does the revised Guidance provide clear instruction on how FATF Standards apply to so-called stablecoins and related entities (see Boxes 1 and 4 and paragraphs 72-73, 122 and 224)?
- Is the revised Guidance sufficient to mitigate the potential risks of so-called stablecoins, including the risks relating to peer-to-peer transactions?
5. Are there any further comments and specific proposals to make the revised Guidance more useful to promote the effective implementation of FATF Standards?
The FATF asks for responses to be sent to [email protected] with the subject line “Comments of [author] on the draft revised VASP Guidance”, and the deadline for responses is April 20th 2021 (18:00 UTC).
It also asks that you indicate your organization’s name, the nature of your business (VASP, technology provider, academic, policy body, other regulated entity), and your contact details.
The recommendations are available to download in full here.